
If there is no solution, it is because there is no problem!


Apache mod_ssl php mod_perl installation



To begin...

When I first got the weird idea of installing apache with mod_ssl, php and mod_perl, my aspirin and coffee bills began to rise dangerously.
This page was written to help you avoid problems with acetylsalicylic acid and coffee...
Follow the proposed order of installation; I noted which parts can be skipped if you only want to install a subset of the options.

Files to download

Be careful, each version of mod_ssl is tied to a precise version of apache. Pick the right one!

To install openssl, you need...perl 5!

Installation of the whole stuff

I assume that you have uncompressed all the sources in /usr/local/src, so that you have directories like openssl-x.x.x, mod_ssl-y.y.y-z.z.z, php-u.u.u, mod_perl-v.v.v and apache_z.z.z.

openssl (Jump to next § if you do not install mod_ssl)

Go to openssl sources directory and read the INSTALL file ;-) and run:

./config

You can change the install directory with the --prefix= option; you can list all the available options with:

./config --help

Then, run:

make
make test
make install

Let us go to more serious stuff...

mod_ssl patch (jump to next § if you do not install mod_ssl)

mod_ssl modifies the apache sources. There are several ways to install apache + mod_ssl; I give here the one that appeared to be the easiest (dynamic modules).

Go to the mod_ssl sources directory.
Run:

./configure --with-apache=/usr/local/src/apache_z.z.z \
    --with-ssl=/usr/local/src/openssl-x.x.x --prefix=/usr/local/apache \
    --enable-module=ssl --enable-module=most --enable-shared=max \
    --enable-rule=EAPI

where apache_z.z.z is the apache sources directory. All the ./configure options must be passed on a single command line (the trailing backslashes above only continue that line). --enable-module=ssl --enable-module=most --enable-shared=max --enable-rule=EAPI are apache options. You can add more options or modify them; for example, the install directory of apache is /usr/local/apache here. To list all the available apache options, run ./configure --help from the apache sources directory.
--enable-rule=EAPI is absolutely required to add PHP or mod_perl later. The -DEAPI option will be passed on to PHP and mod_perl by apxs (see below).

Apache installation with mod_ssl (see further to install apache without mod_ssl)

The apache configuration has already been done by the mod_ssl configure step. Go to the apache sources directory.
Run:

make
make install

apache installation without mod_ssl

Go to the apache sources directory.
Run:

./configure --prefix=/usr/local/apache \
    --enable-module=most --enable-shared=max

You can add or modify some options, for example the apache installation directory, which is /usr/local/apache here. To list all the available options, run ./configure --help from the apache sources directory. All the options must be passed on a single command line (the trailing backslash above only continues that line). Then run make and make install.

PHP installation (jump to next § if you do not install php).

Go to the php sources directory.
Run:

./configure --with-imap --with-mysql --with-gettext \
    --with-apxs=/usr/local/apache/bin/apxs

The --with-imap option allows php to access an IMAP email server; --with-gettext allows php to use gettext-based localization (use these options only if you need them!!). /usr/local/apache/bin/apxs is the path to apache's apxs tool.
Run ./configure --help to list all the available PHP options.
Thanks to --with-apxs=/usr/local/apache/bin/apxs, php is compiled correctly with respect to mod_ssl (apxs passes on the EAPI flag).

Then, run:

make
make install

Remark: since some "versions", php no longer adds these (required) lines to the apache config file:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

In the same spirit, do not forget:

<IfModule mod_dir.c>
    DirectoryIndex index.html index.php
</IfModule>

mod_perl installation (jump to next § if you do not install mod_perl).

Go to the mod_perl sources directory.
Run:

perl Makefile.PL USE_APXS=1 \
    WITH_APXS=/usr/local/apache/bin/apxs EVERYTHING=1

where /usr/local/apache/bin/apxs is the path to apache's apxs tool (as usual, this is a single command line; the trailing backslash only continues it).
Thanks to USE_APXS=1 and WITH_APXS=/usr/local/apache/bin/apxs, mod_perl is compiled correctly with respect to mod_ssl.

Then, run:

make
make install

Create a security certificate (jump to next § if you do not install mod_ssl)

There is a tool for that; its name is openssl (yes...), and it is usually located in /usr/local/bin.
We begin by creating a private key. I have chosen not to protect it with a password, to avoid the complexity of apache reading a password at each start or restart. You then absolutely need the key file to be readable only by the owner of the apache processes (which is set in apache's configuration file, httpd.conf).
Make an empty work directory to avoid trouble and run:

/usr/local/bin/openssl genrsa 1024 > name.your.site.key

where, obviously, name.your.site is the declared name of your web site.

If you want to create a password protected key, run:

/usr/local/bin/openssl genrsa -des3 1024 > name.your.site.key

But in this case, every start of apache requires entering the password for the key.
This can be annoying if you plan automatic restarts of apache.
There is a way to give the password to apache automatically, with the option:

SSLPassPhraseDialog exec:your_password_programm

But it is up to you to write the password program; be careful!! Sometimes it is easier to simply protect an unprotected key file than to write a program that hands out the password!!

Then, run:

/usr/local/bin/openssl req -new \
    -key name.your.site.key \
    -out name.your.site.csr

You have to answer some questions here. Type a . to leave a field blank. These are my own answers:

  • Country Name (2 letter code): FR
  • State or Province Name:
  • Locality Name: PARIS
  • Organization Name: (Linux-sottises)
  • Organizational Unit Name:
  • Common Name: www.linux-sottises.net (be careful, here you must enter the address of your web site)
  • Email Address: tnka@linux-sottises.net
  • A challenge password:
  • An optional company name:

The CSR is now created; you can validate it yourself to generate a self-signed security certificate by running:

/usr/local/bin/openssl req -x509 -days 10000 \
    -key name.your.site.key -in name.your.site.csr \
    -out name.your.site.crt

-days gives the validity period of the certificate; I put 10000 days ;-)
Now you have to move the files to the apache install directory. Some sub-directories have been created for them:

  • name.your.site.crt in /usr/local/apache/conf/ssl.crt
  • name.your.site.csr in /usr/local/apache/conf/ssl.csr
  • name.your.site.key in /usr/local/apache/conf/ssl.key

Check that these files are readable only by the owner of the apache processes!!
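The key, CSR and certificate steps above can be scripted, and the permission check the text asks for turned into a function that can be run after every deployment. The script below is an added example (mine, not the page's or the OpenSSL project's): the subject fields follow the answers given above, while the site name www.example.test, the 2048-bit key size and the 365-day validity are my own choices. It assumes an openssl binary in $PATH and a stat command with GNU or BSD syntax.

```shell
#!/bin/sh
# Added example (not from the original page): create the private key, CSR and
# self-signed certificate non-interactively, then verify that the key file is
# readable by its owner only. Site name, key size and validity are assumptions.

# Octal permission bits of a file (GNU/busybox stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner user name of a file (same fallback scheme).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_key_perms KEYFILE [OWNER]
# Returns 0 when the key is readable by its owner only (mode 600 or 400) and,
# if OWNER is given, when the file belongs to that user; returns 1 otherwise.
check_key_perms() {
    case "$(file_mode "$1")" in
        600|400) ;;
        *) return 1 ;;
    esac
    if [ -n "${2:-}" ] && [ "$(file_owner "$1")" != "$2" ]; then
        return 1
    fi
    return 0
}

# make_self_signed SITE DIR
# Writes DIR/SITE.key, DIR/SITE.csr and DIR/SITE.crt. The key is generated
# under umask 077 so it is never world-readable, even for an instant; -subj
# supplies the answers the page gives interactively (a . leaves a field blank).
make_self_signed() {
    site=$1
    dir=$2
    mkdir -p "$dir"
    ( umask 077 && openssl genrsa -out "$dir/$site.key" 2048 ) || return 1
    openssl req -new -key "$dir/$site.key" -out "$dir/$site.csr" \
        -subj "/C=FR/L=PARIS/O=Linux-sottises/CN=$site" || return 1
    openssl req -x509 -days 365 -key "$dir/$site.key" \
        -in "$dir/$site.csr" -out "$dir/$site.crt" || return 1
    chmod 600 "$dir/$site.key"
}

# Subject line of a certificate, to confirm the CN matches the site name.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Demo run with a constructed site name in a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_self_signed www.example.test "$demo_dir"
    cert_subject "$demo_dir/www.example.test.crt"
    if check_key_perms "$demo_dir/www.example.test.key" "$(id -un)"; then
        echo "key permissions OK: mode $(file_mode "$demo_dir/www.example.test.key")"
    else
        echo "key is too permissive or wrongly owned"
    fi
fi
```

After copying the three files into /usr/local/apache/conf/ssl.key, ssl.csr and ssl.crt, run check_key_perms on the key with the user named in the User directive of httpd.conf; a non-zero exit is the condition the text warns about.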

The installation is now over. You have to set up /usr/local/apache/conf/httpd.conf.

Apache set up

I do not intend to give full explanations of httpd.conf; I will only cover what mod_ssl needs.
First, note that apache with mod_ssl starts with:

/usr/local/bin/apachectl startssl

restart, stop, status, fullstatus and configtest remain the same, but start launches apache WITHOUT mod_ssl.

The installation procedure above produces an httpd.conf file where php and mod_perl are only activated together with mod_ssl. This can lead to a security weakness!! Starting without mod_ssl disables php, and the php source files then become readable as plain text!!
You can correct that by changing:

<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
LoadModule php4_module        libexec/libphp4.so
LoadModule perl_module        libexec/libperl.so
</IfDefine>
into
<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
</IfDefine>
LoadModule php4_module        libexec/libphp4.so
LoadModule perl_module        libexec/libperl.so


and
<IfDefine SSL>
AddModule mod_ssl.c
AddModule mod_php4.c
AddModule mod_perl.c
</IfDefine>
into
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_php4.c
AddModule mod_perl.c

You can also comment out all the <IfDefine SSL> and <IfModule mod_ssl.c> lines (with their corresponding closing tags) so that apache is always started with mod_ssl, even with the start command.
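The misconfiguration this section describes can be detected automatically instead of by eye. The script below is an added example (mine, not from the page or the apache project): it walks an httpd.conf with awk, keeps a stack of nested <IfDefine> blocks, and reports every LoadModule or AddModule directive other than the ssl module that sits inside <IfDefine SSL>. The two sample configurations it writes are constructed from the fragments quoted above; the module file names are the page's.

```shell
#!/bin/sh
# Added example (not part of the original page): find modules that are only
# loaded inside <IfDefine SSL>, i.e. modules that silently disappear when
# apache is started with "apachectl start" instead of "apachectl startssl".

# find_ssl_gated_modules HTTPD_CONF
# Prints "line: directive" for every LoadModule/AddModule directive inside an
# <IfDefine SSL> block that is not the ssl module itself. Nested <IfDefine>
# blocks with other names are tracked on a stack so their closing tags do
# not end the SSL block early.
find_ssl_gated_modules() {
    awk '
        # lower-cased, left-trimmed copy of the line for matching
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^<ifdefine[ \t]/ {
            name = line
            sub(/^<ifdefine[ \t]+/, "", name)
            sub(/[ \t]*>.*$/, "", name)
            n++; stack[n] = (name == "ssl") ? 1 : 0; ssl += stack[n]
            next
        }
        line ~ /^<\/ifdefine/ {
            if (n > 0) { ssl -= stack[n]; n-- }
            next
        }
        ssl > 0 && line ~ /^(loadmodule|addmodule)[ \t]/ && line !~ /ssl_module|mod_ssl\.c/ {
            print NR ": " $0
        }
    ' "$1"
}

# count_ssl_gated_modules HTTPD_CONF
# Number of such directives; 0 means nothing depends on the SSL define.
count_ssl_gated_modules() {
    find_ssl_gated_modules "$1" | wc -l | tr -d ' '
}

# Constructed sample: the fragment as generated by the installation.
write_gated_conf() {
    cat > "$1" <<'EOF'
<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
LoadModule php4_module        libexec/libphp4.so
LoadModule perl_module        libexec/libperl.so
</IfDefine>
<IfDefine SSL>
AddModule mod_ssl.c
AddModule mod_php4.c
AddModule mod_perl.c
</IfDefine>
EOF
}

# Constructed sample: the corrected fragment, php and perl outside the block.
write_fixed_conf() {
    cat > "$1" <<'EOF'
<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
</IfDefine>
LoadModule php4_module        libexec/libphp4.so
LoadModule perl_module        libexec/libperl.so
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_php4.c
AddModule mod_perl.c
EOF
}

# Demo: write both samples to a temporary directory and report on each.
demo_dir=$(mktemp -d)
write_gated_conf "$demo_dir/httpd.conf.before"
write_fixed_conf "$demo_dir/httpd.conf.after"
echo "before: $(count_ssl_gated_modules "$demo_dir/httpd.conf.before") gated directive(s)"
find_ssl_gated_modules "$demo_dir/httpd.conf.before"
echo "after:  $(count_ssl_gated_modules "$demo_dir/httpd.conf.after") gated directive(s)"
```

Run find_ssl_gated_modules /usr/local/apache/conf/httpd.conf after every install or upgrade of php or mod_perl, since a fresh apxs run may put the new directives back inside the block.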

Below, I only explain the additions needed by mod_ssl in httpd.conf.

First, these lines have been generated:

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

An ssl server listens on port 443. Do not forget to open this port on your firewall.

The easiest way to use ssl is to configure virtual hosts.
This is, for example, the ssl part of a virtual host used by linux-sottises:

NameVirtualHost 62.4.22.49:443
<VirtualHost 62.4.22.49:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateKeyFile conf/ssl.key/webmail.linux-sottises.net.key
    SSLCertificateFile conf/ssl.crt/webmail.linux-sottises.net.crt
    DocumentRoot /webnew/webmail
    ServerName webmail.linux-sottises.net
    CustomLog /var/log/httpd/mail_log common
    ErrorLog /var/log/httpd/mail-error_log
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
        SSLOptions +StdEnvVars
    </Files>
</VirtualHost>

If you do not have a fixed IP, you can (from apache 1.3.13 on) use NameVirtualHost *:443 and <VirtualHost *:443>.
ssl is activated by SSLEngine On; then the location of the certificate is given, followed by the classic directives for virtual hosts. Finally, there are the specific options that the apache build generated in the default ssl virtual host. I put all these directives here and removed the default ssl virtual host; I find it clearer that way.


Last modified on Thursday 17 April 2003 at 00:39:17 Paris
Webmaster: TNK